2018-09-01 13:20:25

by Jia-Ju Bai

Subject: [BUG] net: wireless: mwifiex: A possible sleep-in-atomic-context bug in mwifiex_wait_queue_complete()

mwifiex_usb_tx_complete() is a completion handler function for the
USB driver. So it should not sleep, but it can sleep according to the
function call paths (from bottom to top) in Linux-4.16:

[FUNC] schedule_timeout
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c, 63:
schedule_timeout in mwifiex_wait_queue_complete
drivers/net/wireless/marvell/mwifiex/cmdevt.c, 673:
mwifiex_wait_queue_complete in mwifiex_send_cmd
drivers/net/wireless/marvell/mwifiex/main.c, 1046:
mwifiex_send_cmd in mwifiex_multi_chan_resync
drivers/net/wireless/marvell/mwifiex/usb.c, 288:
mwifiex_multi_chan_resync in mwifiex_usb_tx_complete

I do not find a good way to fix this bug, so I only report it.

This bug is found by my static analysis tool DSAC.


Best wishes,
Jia-Ju Bai


2018-09-03 11:54:20

by Jia-Ju Bai

Subject: Re: [EXT] [BUG] net: wireless: mwifiex: A possible sleep-in-atomic-context bug in mwifiex_wait_queue_complete()



On 2018/9/3 14:41, Ganapathi Bhat wrote:
> Hi Jia-Ju,
>
>> [FUNC] schedule_timeout
>> drivers/net/wireless/marvell/mwifiex/sta_ioctl.c, 63:
>> schedule_timeout in mwifiex_wait_queue_complete
>> drivers/net/wireless/marvell/mwifiex/cmdevt.c, 673:
>> mwifiex_wait_queue_complete in mwifiex_send_cmd
> Here, mwifiex_send_cmd does not call mwifiex_wait_queue_complete, because the sync parameter is false.
> Note that the function mwifiex_multi_chan_resync did call mwifiex_send_cmd with sync = false.

Thanks for the reply.
I check the code again, and find my report is false, sorry for that.


Best wishes,
Jia-Ju Bai
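
Added example, not part of the thread and not DSAC's code: a small call-graph model of the reported chain, showing why a reachability check that ignores call-site arguments reports the path, while one that tracks the constant sync argument prunes it. The guard encoding and the caller named hypothetical_atomic_caller are assumptions made for illustration.

```python
# Constructed model of the call chain quoted in the report.
# Each edge: (callee, guard, args). "guard" names a boolean parameter of the
# caller that must be true for the call to happen; "args" are the constant
# arguments the caller passes to the callee.
CALLS = {
    "mwifiex_usb_tx_complete": [("mwifiex_multi_chan_resync", None, {})],
    "mwifiex_multi_chan_resync": [("mwifiex_send_cmd", None, {"sync": False})],
    "mwifiex_send_cmd": [("mwifiex_wait_queue_complete", "sync", {})],
    "mwifiex_wait_queue_complete": [("schedule_timeout", None, {})],
    # Hypothetical caller (not in the driver) that passes sync = true.
    "hypothetical_atomic_caller": [("mwifiex_send_cmd", None, {"sync": True})],
}
SLEEPING = {"schedule_timeout"}


def sleeping_paths(entry, guard_aware):
    """Return every call path from an atomic-context entry to a sleeping function."""
    found = []

    def walk(func, args, path):
        if func in SLEEPING:
            found.append(path)
            return
        for callee, guard, passed in CALLS.get(func, []):
            if callee in path:
                continue  # do not loop on recursive calls
            # Prune only when the guard is known to be false on this path;
            # an unknown value keeps the edge, which is the conservative choice.
            if guard_aware and guard is not None and args.get(guard) is False:
                continue
            walk(callee, passed, path + [callee])

    walk(entry, {}, [entry])
    return found


if __name__ == "__main__":
    for aware in (False, True):
        for entry in ("mwifiex_usb_tx_complete", "hypothetical_atomic_caller"):
            paths = sleeping_paths(entry, guard_aware=aware)
            print(f"guard_aware={aware} entry={entry}: {len(paths)} path(s)")
            for p in paths:
                print("   " + " -> ".join(p))
```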

2018-09-03 11:00:38

by Ganapathi Bhat

Subject: RE: [EXT] [BUG] net: wireless: mwifiex: A possible sleep-in-atomic-context bug in mwifiex_wait_queue_complete()
